diff -Nru drupal6-6.12/CHANGELOG.txt drupal6-6.14/CHANGELOG.txt --- drupal6-6.12/CHANGELOG.txt 2009-05-13 15:11:04.000000000 -0400 +++ drupal6-6.14/CHANGELOG.txt 2009-09-16 15:34:13.000000000 -0400 @@ -1,4 +1,19 @@ -// $Id: CHANGELOG.txt,v 1.253.2.29 2009/05/13 19:11:04 goba Exp $ +// $Id: CHANGELOG.txt,v 1.253.2.33 2009/09/16 19:34:13 goba Exp $ + +Drupal 6.14, 2009-09-16 +---------------------- +- Fixed security issues (OpenID association cross site request forgeries, + OpenID impersonation and File upload), see SA-CORE-2009-008. +- Changed the system modules page to not run all cache rebuilds; use the + button on the performance settings page to achieve the same effect. +- Added support for PHP 5.3.0 out of the box. +- Fixed a variety of small bugs. + +Drupal 6.13, 2009-07-01 +---------------------- +- Fixed security issues (Cross site scripting, Input format access bypass and + Password leakage in URL), see SA-CORE-2009-007. +- Fixed a variety of small bugs. Drupal 6.12, 2009-05-13 ---------------------- @@ -186,6 +201,17 @@ - Removed old system updates. Updates from Drupal versions prior to 5.x will require upgrading to 5.x before upgrading to 6.x. +Drupal 5.20, 2009-09-16 +----------------------- +- Avoid security problems resulting from writing Drupal 6-style menu declarations. +- Fixed security issues (session fixation), see SA-CORE-2009-008. +- Fixed a variety of small bugs. + +Drupal 5.19, 2009-07-01 +----------------------- +- Fixed security issues (Cross site scripting and Password leakage in URL), see SA-CORE-2009-007. +- Fixed a variety of small bugs. + Drupal 5.18, 2009-05-13 ---------------------- - Fixed security issues (Cross site scripting), see SA-CORE-2009-006. diff -Nru drupal6-6.12/COPYRIGHT.txt drupal6-6.14/COPYRIGHT.txt --- drupal6-6.12/COPYRIGHT.txt 2008-02-06 07:45:55.000000000 -0500 +++ drupal6-6.14/COPYRIGHT.txt 2009-09-14 08:50:38.000000000 -0400 
@@ -1,6 +1,6 @@ -// $Id: COPYRIGHT.txt,v 1.2.2.1 2008/02/06 12:45:55 goba Exp $ +// $Id: COPYRIGHT.txt,v 1.2.2.2 2009/09/14 12:50:38 goba Exp $ -All Drupal code is Copyright 2001 - 2008 by the original authors. +All Drupal code is Copyright 2001 - 2009 by the original authors. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -21,5 +21,5 @@ according to the terms of the GNU General Public License or a compatible license, including: - jQuery - Copyright (c) 2008 John Resig + jQuery - Copyright (c) 2008 - 2009 John Resig diff -Nru drupal6-6.12/debian/changelog drupal6-6.14/debian/changelog --- drupal6-6.12/debian/changelog 2009-09-19 03:19:55.000000000 -0400 +++ drupal6-6.14/debian/changelog 2009-09-19 03:19:56.000000000 -0400 
@@ -1,3 +1,35 @@ +drupal6 (6.14-0ubuntu1) karmic; urgency=low + + * New upstream release. + - Fixes multiple security vulnerabilities. + + References: SA-CORE-2009-008 + + LP: #431078 + + -- T. Scott Testerman Wed, 16 Sep 2009 20:00:55 -0400 + +drupal6 (6.13-0ubuntu1) karmic; urgency=low + + * New upstream release. + - Fixes multiple security vulnerabilities. + + References: SA-CORE-2009-007, CVE-2009-2372, + CVE-2009-2373, CVE-2009-2374 + + LP: #395004 + - debian/patches/02_htaccess + + Enable ModRewrite. + + LP: #371187 + - debian/patches/10_cronjob + + Updated to current package version + - Removed security patch integrated upstream. + + debian/patches/20_SA-CORE-2009-007 + - debian/control + + Set Maintainer to Ubuntu Developers. + + Moved Debian maintainer to Original Maintainer. + + Fixed minor punctuation and grammar errors. + + Added "More information" statement to bring + into line with Drupal5 packages. + + -- T. Scott Testerman Thu, 10 Sep 2009 04:54:46 -0400 + drupal6 (6.12-1.1) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Nru drupal6-6.12/debian/control drupal6-6.14/debian/control --- drupal6-6.12/debian/control 2009-09-19 03:19:55.000000000 -0400 +++ drupal6-6.14/debian/control 2009-09-19 03:19:56.000000000 -0400 @@ -1,7 +1,8 @@ Source: drupal6 Section: web Priority: extra -Maintainer: Luigi Gangitano +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Luigi Gangitano Build-Depends: debhelper (>= 4), dpatch Homepage: http://www.drupal.org/ Standards-Version: 3.8.0 
@@ -15,9 +16,10 @@ Description: a fully-featured content management framework Drupal is a dynamic web site platform which allows an individual or community of users to publish, manage and organize a variety of - content, Drupal integrates many popular features of content + content. Drupal integrates many popular features of content management systems, weblogs, collaborative tools and discussion-based community software into one easy-to-use package. . This package contains version 6 of Drupal. - + . + More infomation about Drupal is available at http://www.drupal.org diff -Nru drupal6-6.12/debian/patches/00list drupal6-6.14/debian/patches/00list --- drupal6-6.12/debian/patches/00list 2009-09-19 03:19:55.000000000 -0400 +++ drupal6-6.14/debian/patches/00list 2009-09-19 03:19:56.000000000 -0400 @@ -1,2 +1,2 @@ +02_htaccess 10_cronjob -20_SA-CORE-2009-007 diff -Nru drupal6-6.12/debian/patches/02_htaccess.dpatch drupal6-6.14/debian/patches/02_htaccess.dpatch --- drupal6-6.12/debian/patches/02_htaccess.dpatch 1969-12-31 19:00:00.000000000 -0500 +++ drupal6-6.14/debian/patches/02_htaccess.dpatch 2009-09-19 03:19:56.000000000 -0400 
@@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 02_htaccess.dpatch by T. Scott Testerman +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Enable ModRewrite + +@DPATCH@ +diff -urNad drupal6-6.13~/.htaccess drupal6-6.13/.htaccess +--- drupal6-6.13~/.htaccess 2008-12-10 15:04:08.000000000 -0500 ++++ drupal6-6.13/.htaccess 2009-09-10 04:40:50.000000000 -0400 +@@ -94,7 +94,7 @@ + # VirtualDocumentRoot and the rewrite rules are not working properly. + # For example if your site is at http://example.com/drupal uncomment and + # modify the following line: +- # RewriteBase /drupal ++ RewriteBase /drupal6 + # + # If your site is running in a VirtualDocumentRoot at http://example.com/, + # uncomment the following line: diff -Nru drupal6-6.12/debian/patches/10_cronjob.dpatch drupal6-6.14/debian/patches/10_cronjob.dpatch --- drupal6-6.12/debian/patches/10_cronjob.dpatch 2009-09-19 03:19:55.000000000 -0400 +++ drupal6-6.14/debian/patches/10_cronjob.dpatch 2009-09-19 03:19:56.000000000 -0400 @@ -5,10 +5,10 @@ ## DP: Disable reporting to system log every cron run @DPATCH@ -diff -urNad drupal6~/includes/common.inc drupal6/includes/common.inc ---- drupal6~/includes/common.inc 2008-02-18 12:32:44.000000000 +0100 -+++ drupal6/includes/common.inc 2008-02-18 12:37:09.000000000 +0100 -@@ -2540,7 +2540,7 @@ +diff -urNad drupal6-6.13~/includes/common.inc drupal6-6.13/includes/common.inc +--- drupal6-6.13~/includes/common.inc 2009-07-01 16:51:55.000000000 -0400 ++++ drupal6-6.13/includes/common.inc 2009-09-10 04:41:23.000000000 -0400 +@@ -2662,7 +2662,7 @@ // Record cron time variable_set('cron_last', time()); diff -Nru drupal6-6.12/debian/patches/20_SA-CORE-2009-007.dpatch drupal6-6.14/debian/patches/20_SA-CORE-2009-007.dpatch --- drupal6-6.12/debian/patches/20_SA-CORE-2009-007.dpatch 2009-09-19 03:19:55.000000000 -0400 +++ drupal6-6.14/debian/patches/20_SA-CORE-2009-007.dpatch 1969-12-31 19:00:00.000000000 -0500 
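Review bot: The new 02_htaccess.dpatch turns `RewriteBase /drupal6` on unconditionally, which only suits sites served from that exact URL prefix. A site on its own virtual host at the document root, or under a different alias, would presumably get broken clean URLs after the upgrade. The `## DP:` description should state the assumption, for example `## DP: Enable RewriteBase for the default /drupal6 alias; adjust or comment out for vhost-at-root installs`. The Apache alias shipped by the package is not visible in this diff, so confirm that it matches.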
@@ -1,202 +0,0 @@ -#! /bin/sh /usr/share/dpatch/dpatch-run -## 20_SA-CORE-2009-007.dpatch by Nico Golde -## -## All lines beginning with `## DP:' are a description of the patch. -## DP: SA-CORE-2009-007 various security issues - -@DPATCH@ -diff -urNad drupal6-6.12~/includes/pager.inc drupal6-6.12/includes/pager.inc ---- drupal6-6.12~/includes/pager.inc 2007-12-06 10:58:30.000000000 +0100 -+++ drupal6-6.12/includes/pager.inc 2009-07-06 20:26:04.000000000 +0200 -@@ -85,7 +85,7 @@ - function pager_get_querystring() { - static $string = NULL; - if (!isset($string)) { -- $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page'), array_keys($_COOKIE))); -+ $string = drupal_query_string_encode($_REQUEST, array_merge(array('q', 'page', 'pass'), array_keys($_COOKIE))); - } - return $string; - } -diff -urNad drupal6-6.12~/includes/tablesort.inc drupal6-6.12/includes/tablesort.inc ---- drupal6-6.12~/includes/tablesort.inc 2008-01-04 10:31:48.000000000 +0100 -+++ drupal6-6.12/includes/tablesort.inc 2009-07-06 20:26:04.000000000 +0200 -@@ -136,7 +136,7 @@ - * except for those pertaining to table sorting. - */ - function tablesort_get_querystring() { -- return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order'), array_keys($_COOKIE))); -+ return drupal_query_string_encode($_REQUEST, array_merge(array('q', 'sort', 'order', 'pass'), array_keys($_COOKIE))); - } - - /** -diff -urNad drupal6-6.12~/modules/comment/comment.module drupal6-6.12/modules/comment/comment.module ---- drupal6-6.12~/modules/comment/comment.module 2009-05-13 19:15:10.000000000 +0200 -+++ drupal6-6.12/modules/comment/comment.module 2009-07-06 20:26:04.000000000 +0200 -@@ -936,7 +936,7 @@ - - if ($cid && is_numeric($cid)) { - // Single comment view. 
-- $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d'; -+ $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d'; - $query_args = array($cid); - if (!user_access('administer comments')) { - $query .= ' AND c.status = %d'; -@@ -957,7 +957,7 @@ - else { - // Multiple comment view - $query_count = 'SELECT COUNT(*) FROM {comments} c WHERE c.nid = %d'; -- $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d'; -+ $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d'; - - $query_args = array($nid); - if (!user_access('administer comments')) { -@@ -1468,7 +1468,7 @@ - $output = ''; - - if ($edit['pid']) { -- $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED)); -+ $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], 
COMMENT_PUBLISHED)); - $comment = drupal_unpack($comment); - $comment->name = $comment->uid ? $comment->registered_name : $comment->name; - $output .= theme('comment_view', $comment, $node); -@@ -1778,14 +1778,14 @@ - function theme_comment_post_forbidden($node) { - global $user; - static $authenticated_post_comments; -- -+ - if (!$user->uid) { - if (!isset($authenticated_post_comments)) { - // We only output any link if we are certain, that users get permission - // to post comments by logging in. We also locally cache this information. - $authenticated_post_comments = array_key_exists(DRUPAL_AUTHENTICATED_RID, user_roles(TRUE, 'post comments') + user_roles(TRUE, 'post comments without approval')); - } -- -+ - if ($authenticated_post_comments) { - // We cannot use drupal_get_destination() because these links - // sometimes appear on /node and taxonomy listing pages. -diff -urNad drupal6-6.12~/modules/comment/comment.pages.inc drupal6-6.12/modules/comment/comment.pages.inc ---- drupal6-6.12~/modules/comment/comment.pages.inc 2008-02-07 19:53:38.000000000 +0100 -+++ drupal6-6.12/modules/comment/comment.pages.inc 2009-07-06 20:26:04.000000000 +0200 -@@ -70,7 +70,7 @@ - // $pid indicates that this is a reply to a comment. - if ($pid) { - // load the comment whose cid = $pid -- if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) { -+ if ($comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $pid, COMMENT_PUBLISHED))) { - // If that comment exists, make sure that the current comment and the parent comment both - // belong to the same parent node. 
- if ($comment->nid != $node->nid) { -diff -urNad drupal6-6.12~/modules/forum/forum.pages.inc drupal6-6.12/modules/forum/forum.pages.inc ---- drupal6-6.12~/modules/forum/forum.pages.inc 2007-07-26 08:48:03.000000000 +0200 -+++ drupal6-6.12/modules/forum/forum.pages.inc 2009-07-06 20:26:04.000000000 +0200 -@@ -10,6 +10,11 @@ - * Menu callback; prints a forum listing. - */ - function forum_page($tid = 0) { -+ if (!is_numeric($tid)) { -+ return MENU_NOT_FOUND; -+ } -+ $tid = (int)$tid; -+ - $topics = ''; - $forum_per_page = variable_get('forum_per_page', 25); - $sortby = variable_get('forum_order', 1); -diff -urNad drupal6-6.12~/modules/system/system.install drupal6-6.12/modules/system/system.install ---- drupal6-6.12~/modules/system/system.install 2009-04-27 14:50:13.000000000 +0200 -+++ drupal6-6.12/modules/system/system.install 2009-07-06 20:26:04.000000000 +0200 -@@ -2565,6 +2565,39 @@ - } - - /** -+ * Create a signature_format column. -+ */ -+function system_update_6051() { -+ $ret = array(); -+ -+ if (!db_column_exists('users', 'signature_format')) { -+ -+ // Set future input formats to FILTER_FORMAT_DEFAULT to ensure a safe default -+ // when incompatible modules insert into the users table. An actual format -+ // will be assigned when users save their signature. -+ -+ $schema = array( -+ 'type' => 'int', -+ 'size' => 'small', -+ 'not null' => TRUE, -+ 'default' => FILTER_FORMAT_DEFAULT, -+ 'description' => 'The {filter_formats}.format of the signature.', -+ ); -+ -+ db_add_field($ret, 'users', 'signature_format', $schema); -+ -+ // Set the format of existing signatures to the current default input format. -+ if ($current_default_filter = variable_get('filter_default_format', 0)) { -+ $ret[] = update_sql("UPDATE {users} SET signature_format = ". $current_default_filter); -+ } -+ -+ drupal_set_message("User signatures no longer inherit comment input formats. Each user's signature now has its own associated format that can be selected on the user's account page. 
Existing signatures have been set to your site's default input format."); -+ } -+ -+ return $ret; -+} -+ -+/** - * @} End of "defgroup updates-6.x-extra" - * The next series of updates should start at 7000. - */ -diff -urNad drupal6-6.12~/modules/user/user.install drupal6-6.12/modules/user/user.install ---- drupal6-6.12~/modules/user/user.install 2009-01-06 16:46:38.000000000 +0100 -+++ drupal6-6.12/modules/user/user.install 2009-07-06 20:26:04.000000000 +0200 -@@ -191,6 +191,13 @@ - 'default' => '', - 'description' => "User's signature.", - ), -+ 'signature_format' => array( -+ 'type' => 'int', -+ 'size' => 'small', -+ 'not null' => TRUE, -+ 'default' => 0, -+ 'description' => 'The {filter_formats}.format of the signature.', -+ ), - 'created' => array( - 'type' => 'int', - 'not null' => TRUE, -diff -urNad drupal6-6.12~/modules/user/user.module drupal6-6.12/modules/user/user.module ---- drupal6-6.12~/modules/user/user.module 2009-04-27 14:02:27.000000000 +0200 -+++ drupal6-6.12/modules/user/user.module 2009-07-06 20:26:04.000000000 +0200 -@@ -532,7 +532,7 @@ - } - else { - // Make sure we return the default fields at least. -- $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data'); -+ $fields = array('uid', 'name', 'pass', 'mail', 'picture', 'mode', 'sort', 'threshold', 'theme', 'signature', 'signature_format', 'created', 'access', 'login', 'status', 'timezone', 'language', 'init', 'data'); - } - } - -@@ -1519,6 +1519,15 @@ - '#default_value' => $edit['signature'], - '#description' => t('Your signature will be publicly displayed at the end of your comments.'), - ); -+ -+ // Prevent a "validation error" message when the user attempts to save with a default value they -+ // do not have access to. 
-+ if (!filter_access($edit['signature_format']) && empty($_POST)) { -+ drupal_set_message(t("The signature input format has been set to a format you don't have access to. It will be changed to a format you have access to when you save this page.")); -+ $edit['signature_format'] = FILTER_FORMAT_DEFAULT; -+ } -+ -+ $form['signature_settings']['signature_format'] = filter_form($edit['signature_format'], NULL, array('signature_format')); - } - - // Picture/avatar: -@@ -2031,7 +2040,7 @@ - // Validate signature. - if ($op == 'view') { - if (variable_get('user_signatures', 0) && !empty($comment->signature)) { -- $comment->signature = check_markup($comment->signature, $comment->format); -+ $comment->signature = check_markup($comment->signature, $comment->signature_format, FALSE); - } - else { - $comment->signature = ''; diff -Nru drupal6-6.12/includes/actions.inc drupal6-6.14/includes/actions.inc --- drupal6-6.12/includes/actions.inc 2009-02-16 09:34:30.000000000 -0500 +++ drupal6-6.14/includes/actions.inc 2009-08-10 06:39:49.000000000 -0400 @@ -1,5 +1,5 @@ array( @@ -125,6 +126,7 @@ * ) * ); * } + * @endcode * * The description is used in presenting possible actions to the user for * configuration. The type is used to present these actions in a logical @@ -312,6 +314,9 @@ * * @param $function * The name of the function to be called when this action is performed. + * @param $type + * The type of action, to describe grouping and/or context, e.g., 'node', + * 'user', 'comment', or 'system'. * @param $params * An associative array with parameter names as keys and parameter values * as values. diff -Nru drupal6-6.12/includes/bootstrap.inc drupal6-6.14/includes/bootstrap.inc --- drupal6-6.12/includes/bootstrap.inc 2009-04-29 20:13:30.000000000 -0400 +++ drupal6-6.14/includes/bootstrap.inc 2009-09-14 09:33:39.000000000 -0400 
@@ -1,5 +1,5 @@ ($cache_flush + variable_get('cache_lifetime', 0))) { - // Clear the cache for everyone, cache_flush_delay seconds have + // Clear the cache for everyone, cache_lifetime seconds have // passed since the first request to clear the cache. db_query("DELETE FROM {". $table ."} WHERE expire != %d AND expire < %d", CACHE_PERMANENT, time()); variable_set('cache_flush_'. $table, 0); diff -Nru drupal6-6.12/includes/common.inc drupal6-6.14/includes/common.inc --- drupal6-6.12/includes/common.inc 2009-05-13 15:11:04.000000000 -0400 +++ drupal6-6.14/includes/common.inc 2009-09-16 15:34:14.000000000 -0400 @@ -1,5 +1,5 @@ $value) { - $key = drupal_urlencode($key); + $key = rawurlencode($key); if ($parent) { $key = $parent .'['. $key .']'; } @@ -229,7 +236,7 @@ $params[] = drupal_query_string_encode($value, $exclude, $key); } else { - $params[] = $key .'='. drupal_urlencode($value); + $params[] = $key .'='. rawurlencode($value); } } @@ -352,6 +359,11 @@ watchdog('page not found', check_plain($_GET['q']), NULL, WATCHDOG_WARNING); + // Keep old path for reference, and to allow forms to redirect to it. + if (!isset($_REQUEST['destination'])) { + $_REQUEST['destination'] = $_GET['q']; + } + $path = drupal_get_normal_path(variable_get('site_404', '')); if ($path && $path != $_GET['q']) { // Set the active item in case there are tabs to display, or other @@ -377,6 +389,11 @@ watchdog('access denied', check_plain($_GET['q']), NULL, WATCHDOG_WARNING); + // Keep old path for reference, and to allow forms to redirect to it. + if (!isset($_REQUEST['destination'])) { + $_REQUEST['destination'] = $_GET['q']; + } + $path = drupal_get_normal_path(variable_get('site_403', '')); if ($path && $path != $_GET['q']) { // Set the active item in case there are tabs to display or other 
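Review bot: In the 404 hunk of includes/common.inc (`@@ -352,6 +359,11 @@`), and identically in the 403 hunk after it, `$_REQUEST['destination']` is seeded from `$_GET['q']`, which comes straight from the request. The code that later redirects to `destination` is outside this diff, so whether it restricts the value to an internal path cannot be confirmed from here. The added comment should record that expectation, e.g. `// $_GET['q'] is request-supplied; consumers of 'destination' must treat it as untrusted.` The same five lines are added to both handlers and would read better as one small shared helper. Both function bodies start and end outside their hunks.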
@@ -414,6 +431,8 @@ * data and redirect status. */ function drupal_http_request($url, $headers = array(), $method = 'GET', $data = NULL, $retry = 3) { + global $db_prefix; + $result = new stdClass(); // Parse the URL and make sure we can handle the schema. @@ -421,11 +440,13 @@ if ($uri == FALSE) { $result->error = 'unable to parse URL'; + $result->code = -1001; return $result; } if (!isset($uri['scheme'])) { $result->error = 'missing schema'; + $result->code = -1002; return $result; } @@ -443,6 +464,7 @@ break; default: $result->error = 'invalid schema '. $uri['scheme']; + $result->code = -1003; return $result; } 
@@ -475,14 +497,32 @@ // host that do not take into account the port number. 'Host' => "Host: $host", 'User-Agent' => 'User-Agent: Drupal (+http://drupal.org/)', - 'Content-Length' => 'Content-Length: '. strlen($data) ); + // Only add Content-Length if we actually have any content or if it is a POST + // or PUT request. Some non-standard servers get confused by Content-Length in + // at least HEAD/GET requests, and Squid always requires Content-Length in + // POST/PUT requests. + $content_length = strlen($data); + if ($content_length > 0 || $method == 'POST' || $method == 'PUT') { + $defaults['Content-Length'] = 'Content-Length: '. $content_length; + } + // If the server url has a user then attempt to use basic authentication if (isset($uri['user'])) { $defaults['Authorization'] = 'Authorization: Basic '. base64_encode($uri['user'] . (!empty($uri['pass']) ? ":". $uri['pass'] : '')); } + // If the database prefix is being used by SimpleTest to run the tests in a copied + // database then set the user-agent header to the database prefix so that any + // calls to other Drupal pages will run the SimpleTest prefixed database. The + // user-agent is used to ensure that multiple testing sessions running at the + // same time won't interfere with each other as they would if the database + // prefix were stored statically in a file or database variable. + if (is_string($db_prefix) && preg_match("/^simpletest\d+$/", $db_prefix, $matches)) { + $defaults['User-Agent'] = 'User-Agent: ' . $matches[0]; + } + foreach ($headers as $header => $value) { $defaults[$header] = $header .': '. $value; } 
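Review bot: The block that overrides `User-Agent` with the `simpletest\d+` database prefix only makes sense if a receiver maps that header back to a prefix, and no such receiver appears in this diff. Since User-Agent is client-controlled, the comment should state that the receiving side may honour it only on test installs, e.g. `// The receiver must ignore this header outside a SimpleTest run; it is client-controlled.` The pattern is also safer with the `D` modifier, `preg_match("/^simpletest\d+$/D", $db_prefix, $matches)`, so that a trailing newline in `$db_prefix` cannot match. The Content-Length test compares `$method` case-sensitively, so a caller passing `'post'` with empty data would send no Content-Length; that is worth documenting. The body of drupal_http_request() continues outside the hunk.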
@@ -577,7 +617,7 @@ return; } - if ($errno & (E_ALL ^ E_NOTICE)) { + if ($errno & (E_ALL ^ E_NOTICE ^ E_DEPRECATED)) { $types = array(1 => 'error', 2 => 'warning', 4 => 'parse error', 8 => 'notice', 16 => 'core error', 32 => 'core warning', 64 => 'compile error', 128 => 'compile warning', 256 => 'user error', 512 => 'user warning', 1024 => 'user notice', 2048 => 'strict warning', 4096 => 'recoverable fatal error'); // For database errors, we want the line number/file name of the place that @@ -978,7 +1018,7 @@ * * @param $name * The name of the event. - * @param $number + * @param $threshold * The maximum number of the specified event per hour (per visitor). * @return * True if the user did not exceed the hourly threshold. False otherwise. @@ -1337,8 +1377,8 @@ * @param $options * An associative array of additional options, with the following keys: * - 'query' - * A query string to append to the link, or an array of query key/value - * properties. + * A URL-encoded query string to append to the link, or an array of query + * key/value-pairs without any URL-encoding. * - 'fragment' * A fragment identifier (or named anchor) to append to the link. * Do not include the '#' character. @@ -1846,7 +1886,9 @@ } if ($is_writable && $preprocess_css) { - $filename = md5(serialize($types) . $query_string) .'.css'; + // Prefix filename to prevent blocking by firewalls which reject files + // starting with "ad*". + $filename = 'css_'. md5(serialize($types) . $query_string) .'.css'; $preprocess_file = drupal_build_css_cache($types, $filename); $output .= ''."\n"; } 
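Review bot: In the error-handler hunk (`@@ -577,7 +617,7 @@`), the mask `E_ALL ^ E_NOTICE ^ E_DEPRECATED` uses XOR, which clears a bit only when `E_ALL` already contains it. On a PHP version whose `E_ALL` lacks the deprecated bit, the XOR would set that bit instead of clearing it. The intent is clearer and version-independent as `if ($errno & (E_ALL & ~(E_NOTICE | E_DEPRECATED))) {`. `E_DEPRECATED` must also be defined for PHP versions that predate it; no definition is visible in the readable part of this diff, so confirm that one exists. The `$types` map on the next line has no entry for the deprecated level, which is fine only while that level stays masked out.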
@@ -2194,7 +2236,9 @@ // Aggregate any remaining JS files that haven't already been output. if ($is_writable && $preprocess_js && count($files) > 0) { - $filename = md5(serialize($files) . $query_string) .'.js'; + // Prefix filename to prevent blocking by firewalls which reject files + // starting with "ad*". + $filename = 'js_'. md5(serialize($files) . $query_string) .'.js'; $preprocess_file = drupal_build_js_cache($files, $filename); $preprocessed .= ''."\n"; } @@ -2448,6 +2492,8 @@ * characters are double escaped so PHP will still see the encoded version. * - With clean URLs, Apache changes '//' to '/', so every second slash is * double escaped. + * - This function should only be used on paths, not on query string arguments, + * otherwise unwanted double encoding will occur. * * @param $text * String to encode @@ -2614,9 +2660,9 @@ * Returns TRUE if ran successfully */ function drupal_cron_run() { - // If not in 'safe mode', increase the maximum execution time: - if (!ini_get('safe_mode')) { - set_time_limit(240); + // Try to allocate enough time to run all the hook_cron implementations. + if (function_exists('set_time_limit')) { + @set_time_limit($time_limit); } // Fetch the cron semaphore @@ -2713,9 +2759,6 @@ $searchdir = array($directory); $files = array(); - // Always search sites/all/* as well as the global directories - $searchdir[] = 'sites/all/'. $directory; - // The 'profiles' directory contains pristine collections of modules and // themes as organized by a distribution. It is pristine in the same way // that /modules is pristine for core; users should avoid changing anything @@ -2724,6 +2767,9 @@ $searchdir[] = "profiles/$profile/$directory"; } + // Always search sites/all/* as well as the global directories + $searchdir[] = 'sites/all/'. $directory; + if (file_exists("$config/$directory")) { $searchdir[] = "$config/$directory"; } 
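Review bot: In the drupal_cron_run() hunk (`@@ -2614,9 +2660,9 @@`), `@set_time_limit($time_limit);` uses a variable that is never assigned in the visible code, and the function takes no parameters. The call would therefore receive NULL and effectively remove the execution limit, while the `@` hides the undefined-variable notice. The removed line used 240, and the parallel change in _locale_import_po() keeps the literal, so this should be `@set_time_limit(240);`. The function body continues outside the hunk, but the call sits at its very top, so no earlier assignment is possible.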
@@ -3669,7 +3715,8 @@ function _drupal_flush_css_js() { $string_history = variable_get('css_js_query_string', '00000000000000000000'); $new_character = $string_history[0]; - $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; + // Not including 'q' to allow certain JavaScripts to re-use query string. + $characters = 'abcdefghijklmnoprstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; while (strpos($string_history, $new_character) !== FALSE) { $new_character = $characters[mt_rand(0, strlen($characters) - 1)]; } diff -Nru drupal6-6.12/includes/database.inc drupal6-6.14/includes/database.inc --- drupal6-6.12/includes/database.inc 2009-02-16 09:41:58.000000000 -0500 +++ drupal6-6.14/includes/database.inc 2009-09-14 06:49:34.000000000 -0400 @@ -1,5 +1,5 @@ body, etc. here. @@ -208,7 +208,19 @@ switch ($match[1]) { case '%d': // We must use type casting to int to convert FALSE/NULL/(TRUE?) - return (int) array_shift($args); // We don't need db_escape_string as numbers are db-safe + $value = array_shift($args); + // Do we need special bigint handling? + if ($value > PHP_INT_MAX) { + $precision = ini_get('precision'); + @ini_set('precision', 16); + $value = sprintf('%.0f', $value); + @ini_set('precision', $precision); + } + else { + $value = (int) $value; + } + // We don't need db_escape_string as numbers are db-safe. + return $value; case '%s': return db_escape_string(array_shift($args)); case '%n': @@ -427,6 +439,8 @@ * just map to the according database engine specific * datatypes. Use 'serial' for auto incrementing fields. This * will expand to 'int auto_increment' on mysql. + * - 'serialize': A boolean indicating whether the field will be stored + as a serialized string. * - 'size': The data size: 'tiny', 'small', 'medium', 'normal', * 'big'. This is a hint about the largest value the field will * store and determines which of the database engine specific 
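Review bot: In the `%d` branch of includes/database.inc (`@@ -208,7 +208,19 @@`), only values above `PHP_INT_MAX` take the new bigint path. A value below the negative integer range still falls through to `(int)` and is truncated. A non-finite float would be rendered by `sprintf('%.0f', …)` as text rather than digits and written into the query unquoted. Guarding the branch with something like `if (is_numeric($value) && is_finite((float) $value) && abs($value) > PHP_INT_MAX) {` would keep the "numbers are db-safe" comment true. The `precision` ini toggling around `sprintf` likely has no effect on a `%.0f` conversion and, if so, could be dropped. The enclosing callback starts and ends outside the hunk.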
@@ -443,7 +457,7 @@ * specify '0' as the default value for a type 'int' field it * will not work because '0' is a string containing the * character "zero", not an integer. - * - 'length': The maximal length of a type 'varchar' or 'text' + * - 'length': The maximal length of a type 'char', 'varchar' or 'text' * field. Ignored for other field types. * - 'unsigned': A boolean indicating whether a type 'int', 'float' * and 'numeric' only is signed or unsigned. Defaults to diff -Nru drupal6-6.12/includes/database.mysql-common.inc drupal6-6.14/includes/database.mysql-common.inc --- drupal6-6.12/includes/database.mysql-common.inc 2008-02-07 05:17:26.000000000 -0500 +++ drupal6-6.14/includes/database.mysql-common.inc 2009-09-14 06:49:34.000000000 -0400 @@ -1,5 +1,5 @@ filepath = $_FILES['files']['tmp_name'][$source]; $file->filemime = file_get_mimetype($file->filename); - // Rename potentially executable files, to help prevent exploits. - if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) { - $file->filemime = 'text/plain'; - $file->filepath .= '.txt'; - $file->filename .= '.txt'; - } - // If the destination is not provided, or is not writable, then use the // temporary directory. if (empty($dest) || file_check_path($dest) === FALSE) { 
@@ -550,9 +543,23 @@ $errors = array(); foreach ($validators as $function => $args) { array_unshift($args, $file); + // Make sure $file is passed around by reference. + $args[0] = &$file; $errors = array_merge($errors, call_user_func_array($function, $args)); } + // Rename potentially executable files, to help prevent exploits. + if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) { + $file->filemime = 'text/plain'; + $file->filepath .= '.txt'; + $file->filename .= '.txt'; + // As the file may be named example.php.txt, we need to munge again to + // convert to example.php_.txt, then create the correct destination. + $file->filename = file_munge_filename($file->filename, $extensions); + $file->destination = file_destination(file_create_path($dest .'/'. $file->filename), $replace); + } + + // Check for validation errors. if (!empty($errors)) { $message = t('The selected file %name could not be uploaded.', array('%name' => $file->filename)); @@ -640,7 +647,7 @@ * @param $file_limit * An integer specifying the maximum file size in bytes. Zero indicates that * no limit should be enforced. - * @param $$user_limit + * @param $user_limit * An integer specifying the maximum number of bytes the user is allowed. Zero * indicates that no limit should be enforced. * @return 
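Review bot: The relocated rename block in file_save_upload() (`@@ -550,9 +543,23 @@`) still relies on a six-entry deny-list, `(php|pl|py|cgi|asp|js)$`. It now runs after the validators, so any other extension the web server maps to an interpreter is neither renamed nor necessarily caught by a validator. The comment should say that this is defence in depth and that the upload directory must also be configured so scripts are not executed from it, e.g. `// Best-effort only: the files directory must also have script execution disabled.` The `substr($file->filename, -4) != '.txt'` test can never be false once the regex has matched, so it can be removed. `$extensions`, `$dest` and `$replace` are defined outside the hunk; confirm that `$extensions` is set on every path that reaches the new `file_munge_filename()` call.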
@@ -657,8 +664,8 @@ $errors[] = t('The file is %filesize exceeding the maximum file size of %maxsize.', array('%filesize' => format_size($file->filesize), '%maxsize' => format_size($file_limit))); } - $total_size = file_space_used($user->uid) + $file->filesize; - if ($user_limit && $total_size > $user_limit) { + // Save a query by only calling file_space_used() when a limit is provided. + if ($user_limit && (file_space_used($user->uid) + $file->filesize) > $user_limit) { $errors[] = t('The file is %filesize which would exceed your disk quota of %quota.', array('%filesize' => format_size($file->filesize), '%quota' => format_size($user_limit))); } } diff -Nru drupal6-6.12/includes/form.inc drupal6-6.14/includes/form.inc --- drupal6-6.12/includes/form.inc 2009-05-13 14:22:29.000000000 -0400 +++ drupal6-6.14/includes/form.inc 2009-09-16 13:54:19.000000000 -0400 @@ -1,5 +1,5 @@ $value) { - if (!locale_string_is_safe($value)) { + if ($safe_check_needed && !locale_string_is_safe($value)) { form_set_error('translations', t('The submitted string contains disallowed HTML: %string', array('%string' => $value))); watchdog('locale', 'Attempted submission of a translation string with disallowed HTML: %string', array('%string' => $value), WATCHDOG_WARNING); } @@ -1016,9 +1018,9 @@ * Text group to import PO file into (eg. 'default' for interface translations) */ function _locale_import_po($file, $langcode, $mode, $group = NULL) { - // If not in 'safe mode', increase the maximum execution time. - if (!ini_get('safe_mode')) { - set_time_limit(240); + // Try to allocate enough time to parse and import the data. + if (function_exists('set_time_limit')) { + @set_time_limit(240); } // Check if we have the language already in the database. 
@@ -1340,7 +1342,9 @@ if (!empty($translation)) { // Skip this string unless it passes a check for dangerous code. - if (!locale_string_is_safe($translation)) { + // Text groups other than default still can contain HTML tags + // (i.e. translatable blocks). + if ($textgroup == "default" && !locale_string_is_safe($translation)) { $report['skips']++; $lid = 0; } diff -Nru drupal6-6.12/includes/mail.inc drupal6-6.14/includes/mail.inc --- drupal6-6.12/includes/mail.inc 2009-04-27 07:07:43.000000000 -0400 +++ drupal6-6.14/includes/mail.inc 2009-06-18 08:15:44.000000000 -0400 @@ -1,5 +1,5 @@ language); - * $message['body'] = t("Dear !username\n\nThere is new content available on the site.", $variables, $language->language); + * $message['body'][] = t("Dear !username\n\nThere is new content available on the site.", $variables, $language->language); * break; * } * } diff -Nru drupal6-6.12/includes/pager.inc drupal6-6.14/includes/pager.inc --- drupal6-6.12/includes/pager.inc 2007-12-06 04:58:30.000000000 -0500 +++ drupal6-6.14/includes/pager.inc 2009-07-01 16:51:55.000000000 -0400 @@ -1,5 +1,5 @@ tbody > tr.draggable:first td:first, > tr.draggable:first td:first', table).prepend(indent).prepend(indent); this.indentAmount = $('.indentation', testCell).get(1).offsetLeft - $('.indentation', testCell).get(0).offsetLeft; $('.indentation', testCell).slice(0, 2).remove(); } // Make each applicable row draggable. - $('tr.draggable', table).each(function() { self.makeDraggable(this); }); + // Match immediate children of the parent element to allow nesting. + $('> tr.draggable, > tbody > tr.draggable', table).each(function() { self.makeDraggable(this); }); // Hide columns containing affected form elements. this.hideColumns(); 
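Review bot: With the added `$textgroup == "default"` condition, imported translations for every other text group are stored without passing through `locale_string_is_safe()`, and nothing in this hunk filters their markup before it reaches the database. The new comment explains why HTML is allowed but not who is responsible for filtering it; I would extend it, e.g. `// Strings in other text groups are stored unchecked here; whatever renders them must filter them on output.` The same trade-off applies to the `$safe_check_needed` condition added earlier in this diff, where the variable is assigned outside the visible lines. The enclosing function starts and ends outside the hunk.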
@@ -112,9 +114,10 @@ // Hide the column containing this field. if (hidden && cell[0] && cell.css('display') != 'none') { // Add 1 to our indexes. The nth-child selector is 1 based, not 0 based. - var columnIndex = $('td', cell.parent()).index(cell.get(0)) + 1; - var headerIndex = $('td:not(:hidden)', cell.parent()).index(cell.get(0)) + 1; - $('tr', this.table).each(function(){ + // Match immediate children of the parent element to allow nesting. + var columnIndex = $('> td', cell.parent()).index(cell.get(0)) + 1; + var headerIndex = $('> td:not(:hidden)', cell.parent()).index(cell.get(0)) + 1; + $('> thead > tr, > tbody > tr, > tr', this.table).each(function(){ var row = $(this); var parentTag = row.parent().get(0).tagName.toLowerCase(); var index = (parentTag == 'thead') ? headerIndex : columnIndex; @@ -775,7 +778,8 @@ Drupal.tableDrag.prototype.restripeTable = function() { // :even and :odd are reversed because jquery counts from 0 and // we count from 1, so we're out of sync. - $('tr.draggable', this.table) + // Match immediate children of the parent element to allow nesting. + $('> tbody > tr.draggable, > tr.draggable', this.table) .filter(':odd').filter('.odd') .removeClass('odd').addClass('even') .end().end() diff -Nru drupal6-6.12/misc/teaser.js drupal6-6.14/misc/teaser.js --- drupal6-6.12/misc/teaser.js 2008-01-09 07:10:04.000000000 -0500 +++ drupal6-6.14/misc/teaser.js 2009-05-20 07:50:54.000000000 -0400 @@ -1,4 +1,4 @@ -// $Id: teaser.js,v 1.12 2008/01/09 12:10:04 goba Exp $ +// $Id: teaser.js,v 1.12.2.1 2009/05/20 11:50:54 goba Exp $ /** * Auto-attach for teaser behavior. 
@@ -71,10 +71,10 @@ $(include).parent().parent().before(button); // Extract the teaser from the body, if set. Otherwise, stay in joined mode. - var text = body.val().split('', 2); - if (text.length == 2) { - teaser[0].value = trim(text[0]); - body[0].value = trim(text[1]); + var text = body.val().split(''); + if (text.length >= 2) { + teaser[0].value = trim(text.shift()); + body[0].value = trim(text.join('')); $(teaser).attr('disabled', ''); $('input', button).val(Drupal.t('Join summary')).toggle(join_teaser, split_teaser); } diff -Nru drupal6-6.12/modules/aggregator/aggregator.info drupal6-6.14/modules/aggregator/aggregator.info --- drupal6-6.12/modules/aggregator/aggregator.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/aggregator/aggregator.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/block/block.info drupal6-6.14/modules/block/block.info --- drupal6-6.12/modules/block/block.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/block/block.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/blog/blog.info drupal6-6.14/modules/blog/blog.info --- drupal6-6.12/modules/blog/blog.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/blog/blog.info 2009-09-16 15:40:27.000000000 -0400 
@@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/blog/blog.pages.inc drupal6-6.14/modules/blog/blog.pages.inc --- drupal6-6.12/modules/blog/blog.pages.inc 2008-02-08 16:15:12.000000000 -0500 +++ drupal6-6.14/modules/blog/blog.pages.inc 2009-09-14 11:08:00.000000000 -0400 @@ -1,5 +1,5 @@ uid, 0, variable_get('feed_default_items', 10)); - $channel['title'] = $account->name ."'s blog"; + $channel['title'] = t("!name's blog", array('!name' => $account->name)); $channel['link'] = url('blog/'. $account->uid, array('absolute' => TRUE)); $items = array(); @@ -103,7 +103,7 @@ */ function blog_feed_last() { $result = db_query_range(db_rewrite_sql("SELECT n.nid, n.created FROM {node} n WHERE n.type = 'blog' AND n.status = 1 ORDER BY n.created DESC"), 0, variable_get('feed_default_items', 10)); - $channel['title'] = variable_get('site_name', 'Drupal') .' blogs'; + $channel['title'] = t('!site_name blogs', array('!site_name' => variable_get('site_name', 'Drupal'))); $channel['link'] = url('blog', array('absolute' => TRUE)); $items = array(); diff -Nru drupal6-6.12/modules/blogapi/blogapi.info drupal6-6.14/modules/blogapi/blogapi.info --- drupal6-6.12/modules/blogapi/blogapi.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/blogapi/blogapi.info 2009-09-16 15:40:27.000000000 -0400 
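Review bot: Both new `t()` calls in blog.pages.inc use `!` placeholders (`!name` where the per-user feed title is built from `$account->name`, and `!site_name` in `blog_feed_last()`), which by Drupal's `t()` convention are substituted without escaping. That is only correct if whatever formats `$channel['title']` escapes it, and that code is not visible in these hunks. A short comment would make the assumption explicit, e.g. `// '!' is deliberate: the feed formatter is expected to escape the channel title.`; if the formatter does not escape, `@name` and `@site_name` are the safer placeholders. Both function bodies continue outside the hunks.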
@@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/book/book.info drupal6-6.14/modules/book/book.info --- drupal6-6.12/modules/book/book.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/book/book.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/color/color.info drupal6-6.14/modules/color/color.info --- drupal6-6.12/modules/color/color.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/color/color.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/color/color.module drupal6-6.14/modules/color/color.module --- drupal6-6.12/modules/color/color.module 2009-02-25 06:47:37.000000000 -0500 +++ drupal6-6.14/modules/color/color.module 2009-05-16 12:09:21.000000000 -0400 @@ -1,5 +1,5 @@ uid) { // '===' because we want to modify anonymous users too + if ($edit['uid'] === $user->uid && isset($user->name)) { // '===' Need to modify anonymous users as well. $edit['name'] = $user->name; } 
@@ -936,7 +936,7 @@ if ($cid && is_numeric($cid)) { // Single comment view. - $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d'; + $query = 'SELECT c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d'; $query_args = array($cid); if (!user_access('administer comments')) { $query .= ' AND c.status = %d'; @@ -957,7 +957,7 @@ else { // Multiple comment view $query_count = 'SELECT COUNT(*) FROM {comments} c WHERE c.nid = %d'; - $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d'; + $query = 'SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, c.homepage, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data, c.thread, c.status FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = %d'; $query_args = array($nid); if (!user_access('administer comments')) { 
@@ -1384,7 +1384,7 @@ $form['cid'] = array('#type' => 'value', '#value' => !empty($edit['cid']) ? $edit['cid'] : NULL); $form['pid'] = array('#type' => 'value', '#value' => !empty($edit['pid']) ? $edit['pid'] : NULL); $form['nid'] = array('#type' => 'value', '#value' => $edit['nid']); - $form['uid'] = array('#type' => 'value', '#value' => !empty($edit['uid']) ? $edit['uid'] : NULL); + $form['uid'] = array('#type' => 'value', '#value' => !empty($edit['uid']) ? $edit['uid'] : 0); // Only show save button if preview is optional or if we are in preview mode. // We show the save button in preview mode even if there are form errors so that @@ -1468,7 +1468,7 @@ $output = ''; if ($edit['pid']) { - $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED)); + $comment = db_fetch_object(db_query('SELECT c.*, u.uid, u.name AS registered_name, u.signature, u.signature_format, u.picture, u.data FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.cid = %d AND c.status = %d', $edit['pid'], COMMENT_PUBLISHED)); $comment = drupal_unpack($comment); $comment->name = $comment->uid ? $comment->registered_name : $comment->name; $output .= theme('comment_view', $comment, $node); 
@@ -1778,22 +1778,22 @@ function theme_comment_post_forbidden($node) { global $user; static $authenticated_post_comments; - + if (!$user->uid) { if (!isset($authenticated_post_comments)) { // We only output any link if we are certain, that users get permission // to post comments by logging in. We also locally cache this information. $authenticated_post_comments = array_key_exists(DRUPAL_AUTHENTICATED_RID, user_roles(TRUE, 'post comments') + user_roles(TRUE, 'post comments without approval')); } - + if ($authenticated_post_comments) { // We cannot use drupal_get_destination() because these links // sometimes appear on /node and taxonomy listing pages. if (variable_get('comment_form_location_'. $node->type, COMMENT_FORM_SEPARATE_PAGE) == COMMENT_FORM_SEPARATE_PAGE) { - $destination = 'destination='. drupal_urlencode("comment/reply/$node->nid#comment-form"); + $destination = 'destination='. rawurlencode("comment/reply/$node->nid#comment-form"); } else { - $destination = 'destination='. drupal_urlencode("node/$node->nid#comment-form"); + $destination = 'destination='. rawurlencode("node/$node->nid#comment-form"); } if (variable_get('user_register', 1)) { diff -Nru drupal6-6.12/modules/comment/comment.pages.inc drupal6-6.14/modules/comment/comment.pages.inc --- drupal6-6.12/modules/comment/comment.pages.inc 2008-02-07 13:53:38.000000000 -0500 +++ drupal6-6.14/modules/comment/comment.pages.inc 2009-07-01 16:51:55.000000000 -0400 @@ -1,5 +1,5 @@ nid != $node->nid) { diff -Nru drupal6-6.12/modules/contact/contact.info drupal6-6.14/modules/contact/contact.info --- drupal6-6.12/modules/contact/contact.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/contact/contact.info 2009-09-16 15:40:27.000000000 -0400 
@@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/dblog/dblog.info drupal6-6.14/modules/dblog/dblog.info --- drupal6-6.12/modules/dblog/dblog.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/dblog/dblog.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/dblog/dblog.install drupal6-6.14/modules/dblog/dblog.install --- drupal6-6.12/modules/dblog/dblog.install 2009-01-06 10:46:36.000000000 -0500 +++ drupal6-6.14/modules/dblog/dblog.install 2009-09-14 04:19:24.000000000 -0400 @@ -1,5 +1,5 @@ 'URL of the origin of the event.', ), 'referer' => array( - 'type' => 'varchar', - 'length' => 128, - 'not null' => TRUE, - 'default' => '', + 'type' => 'text', + 'not null' => FALSE, 'description' => 'URL of referring page.', ), 'hostname' => array( 
@@ -102,3 +100,21 @@ return $schema; } +/** + * @defgroup updates-6.x-extra Extra database logging updates for 6.x + * @{ + */ + +/** + * Allow longer referrers. + */ +function dblog_update_6000() { + $ret = array(); + db_change_field($ret, 'watchdog', 'referer', 'referer', array('type' => 'text', 'not null' => FALSE)); + return $ret; +} + +/** + * @} End of "defgroup updates-6.x-extra" + * The next series of updates should start at 7000. + */ diff -Nru drupal6-6.12/modules/filter/filter.info drupal6-6.14/modules/filter/filter.info --- drupal6-6.12/modules/filter/filter.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/filter/filter.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/filter/filter.module drupal6-6.14/modules/filter/filter.module --- drupal6-6.12/modules/filter/filter.module 2008-12-10 17:30:14.000000000 -0500 +++ drupal6-6.14/modules/filter/filter.module 2009-08-10 07:04:37.000000000 -0400 
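Review bot: Changing `referer` to an unbounded `text` column in `dblog_update_6000()` removes the only length limit visible in this diff on a value that presumably comes from the request's Referer header, so each logged event can now store whatever length the web server accepts. If no cap is applied where the row is written (not visible here), consider truncating to a documented maximum at insert time and stating it in the docblock, e.g. `* Allow longer referrers; length is limited when the row is written, not by the schema.` `statistics_update_6000()` later in this diff makes the same change to the `url` column of `accesslog`.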
@@ -1,5 +1,5 @@ uid) { - $forum_types['disallowed'] = array('title' => t('You are not allowed to post new content in forum.')); + $forum_types['disallowed'] = array('title' => t('You are not allowed to post new content in the forum.')); } // The user is not logged-in; and denied access to create any new forum content type. else { - $forum_types['login'] = array('title' => t('Login to post new content in forum.', array('@login' => url('user/login', array('query' => drupal_get_destination())))), 'html' => TRUE); + $forum_types['login'] = array('title' => t('Login to post new content in the forum.', array('@login' => url('user/login', array('query' => drupal_get_destination())))), 'html' => TRUE); } } $variables['links'] = $forum_types; diff -Nru drupal6-6.12/modules/forum/forum.pages.inc drupal6-6.14/modules/forum/forum.pages.inc --- drupal6-6.12/modules/forum/forum.pages.inc 2007-07-26 02:48:03.000000000 -0400 +++ drupal6-6.14/modules/forum/forum.pages.inc 2009-07-01 16:51:55.000000000 -0400 @@ -1,5 +1,5 @@ 0) { - $status = '

'. t('If the site is experiencing problems with permissions to content, you may have to rebuild the permissions cache. Possible causes for permission problems are disabling modules or configuration changes to permissions. Rebuilding will remove all privileges to posts, and replace them with permissions based on the current modules and settings.') .'

'; - $status .= '

'. t('Rebuilding may take some time if there is a lot of content or complex permission settings. After rebuilding has completed posts will automatically use the new permissions.') .'

'; - - $form['access'] = array( - '#type' => 'fieldset', - '#title' => t('Node access status'), - ); - $form['access']['status'] = array('#value' => $status); - $form['access']['rebuild'] = array( - '#type' => 'submit', - '#value' => t('Rebuild permissions'), - '#submit' => array('node_configure_access_submit'), - ); - } + $status = '

'. t('If the site is experiencing problems with permissions to content, you may have to rebuild the permissions cache. Possible causes for permission problems are disabling modules or configuration changes to permissions. Rebuilding will remove all privileges to posts, and replace them with permissions based on the current modules and settings.') .'

'; + $status .= '

'. t('Rebuilding may take some time if there is a lot of content or complex permission settings. After rebuilding has completed posts will automatically use the new permissions.') .'

'; + + $form['access'] = array( + '#type' => 'fieldset', + '#title' => t('Node access status'), + ); + $form['access']['status'] = array('#value' => $status); + $form['access']['rebuild'] = array( + '#type' => 'submit', + '#value' => t('Rebuild permissions'), + '#submit' => array('node_configure_access_submit'), + ); $form['default_nodes_main'] = array( '#type' => 'select', '#title' => t('Number of posts on main page'), '#default_value' => variable_get('default_nodes_main', 10), diff -Nru drupal6-6.12/modules/node/node.info drupal6-6.14/modules/node/node.info --- drupal6-6.12/modules/node/node.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/node/node.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/node/node.module drupal6-6.14/modules/node/node.module --- drupal6-6.12/modules/node/node.module 2009-02-16 09:39:40.000000000 -0500 +++ drupal6-6.14/modules/node/node.module 2009-09-16 14:21:06.000000000 -0400 @@ -1,5 +1,5 @@ = 1"; - $result = db_query($sql, $node->nid); - return (db_result($result)); + $sql = "SELECT 1 FROM {node_access} WHERE (nid = 0 OR nid = %d) $grants_sql AND grant_$op >= 1"; + $result = db_query_range($sql, $node->nid, 0, 1); + return (bool) db_result($result); } // Let authors view their own nodes. @@ -2318,9 +2318,9 @@ batch_set($batch); } else { - // If not in 'safe mode', increase the maximum execution time. - if (!ini_get('safe_mode')) { - set_time_limit(240); + // Try to allocate enough time to rebuild node grants + if (function_exists('set_time_limit')) { + @set_time_limit($time_limit); } $result = db_query("SELECT nid FROM {node}"); while ($node = db_fetch_object($result)) { 
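Review bot: The new call `@set_time_limit($time_limit)` in the node.module hunk at -2318 uses `$time_limit`, which is not assigned anywhere in the visible lines, whereas the matching change in `_locale_import_po()` passes the literal `240`. If the variable is not set earlier in the function (its start is outside the hunk), PHP passes NULL, which `set_time_limit()` treats as 0, meaning no limit, and the `@` may hide the resulting notice. I would keep the literal the removed line used: `@set_time_limit(240);`.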
@@ -2709,7 +2709,7 @@ '#default_value' => $owner_name, '#autocomplete_path' => 'user/autocomplete', '#size' => '6', - '#maxlength' => '7', + '#maxlength' => '60', '#description' => $description, ); } diff -Nru drupal6-6.12/modules/node/node.tpl.php drupal6-6.14/modules/node/node.tpl.php --- drupal6-6.12/modules/node/node.tpl.php 2008-01-25 16:21:44.000000000 -0500 +++ drupal6-6.14/modules/node/node.tpl.php 2009-08-10 06:48:33.000000000 -0400 @@ -1,5 +1,5 @@ '. t('This site supports OpenID, a secure way to log into many websites using a single username and password. OpenID can reduce the necessity of managing many usernames and passwords for many websites.', array('@openid-net' => url('http://openid.net'))) .'

'; - $output .= '

'. t('To use OpenID you must first establish an identity on a public or private OpenID server. If you do not have an OpenID and would like one, look into one of the free public providers. You can find out more about OpenID at this website.', array('@openid-providers' => url('http://openid.net/wiki/index.php/OpenIDServers'), '@openid-net' => url('http://openid.net'))) .'

'; + $output = '

'. t('This site supports OpenID, a secure way to log into many websites using a single username and password. OpenID can reduce the necessity of managing many usernames and passwords for many websites.', array('@openid-net' => 'http://openid.net')) .'

'; + $output .= '

'. t('To use OpenID you must first establish an identity on a public or private OpenID server. If you do not have an OpenID and would like one, look into one of the free public providers. You can find out more about OpenID at this website.', array('@openid-providers' => 'http://openid.net/get/', '@openid-net' => 'http://openid.net')) .'

'; $output .= '

'. t('If you already have an OpenID, enter the URL to your OpenID server below (e.g. myusername.openidprovider.com). Next time you login, you will be able to use this URL instead of a regular username and password. You can have multiple OpenID servers if you like; just keep adding them here.') .'

'; return $output; @@ -113,7 +113,7 @@ ); $form['openid.return_to'] = array('#type' => 'hidden', '#value' => url('openid/authenticate', array('absolute' => TRUE, 'query' => drupal_get_destination()))); } - elseif ($form_id == 'user_register' && isset($_SESSION['openid'])) { + elseif ($form_id == 'user_register' && isset($_SESSION['openid']['values'])) { // We were unable to auto-register a new user. Prefill the registration // form with the values we have. $form['name']['#default_value'] = $_SESSION['openid']['values']['name']; @@ -192,8 +192,8 @@ } if (isset($services[0]['types']) && is_array($services[0]['types']) && in_array(OPENID_NS_2_0 .'/server', $services[0]['types'])) { - $identity = 'http://specs.openid.net/auth/2.0/identifier_select'; - } + $claimed_id = $identity = 'http://specs.openid.net/auth/2.0/identifier_select'; + } $authn_request = openid_authentication_request($claimed_id, $identity, $return_to, $assoc_handle, $services[0]['version']); if ($services[0]['version'] == 2) { diff -Nru drupal6-6.12/modules/openid/openid.pages.inc drupal6-6.14/modules/openid/openid.pages.inc --- drupal6-6.12/modules/openid/openid.pages.inc 2008-07-09 17:48:28.000000000 -0400 +++ drupal6-6.14/modules/openid/openid.pages.inc 2009-09-16 15:34:14.000000000 -0400 @@ -1,5 +1,5 @@ TRUE)); - openid_begin($form_state['values']['openid_identifier'], $return_to); - } } +function openid_user_add_submit($form, &$form_state) { + $return_to = url('user/'. arg(1) .'/openid', array('absolute' => TRUE)); + openid_begin($form_state['values']['openid_identifier'], $return_to); +} + + /** * Present a confirmation form to delete the specified OpenID identity from the system. * diff -Nru drupal6-6.12/modules/path/path.info drupal6-6.14/modules/path/path.info --- drupal6-6.12/modules/path/path.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/path/path.info 2009-09-16 15:40:27.000000000 -0400 
@@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/php/php.info drupal6-6.14/modules/php/php.info --- drupal6-6.12/modules/php/php.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/php/php.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/ping/ping.info drupal6-6.14/modules/ping/ping.info --- drupal6-6.12/modules/ping/ping.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/ping/ping.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/poll/poll.info drupal6-6.14/modules/poll/poll.info --- drupal6-6.12/modules/poll/poll.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/poll/poll.info 2009-09-16 15:40:27.000000000 -0400 
@@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/poll/poll.module drupal6-6.14/modules/poll/poll.module --- drupal6-6.12/modules/poll/poll.module 2008-12-18 10:46:20.000000000 -0500 +++ drupal6-6.14/modules/poll/poll.module 2009-09-14 06:16:54.000000000 -0400 @@ -1,5 +1,5 @@ 'Internal path to page visited (relative to Drupal root.)', ), 'url' => array( - 'type' => 'varchar', - 'length' => 255, + 'type' => 'text', 'not null' => FALSE, 'description' => 'Referrer URI.', ), @@ -119,3 +118,21 @@ return $schema; } +/** + * @defgroup updates-6.x-extra Extra statistics updates for 6.x + * @{ + */ + +/** + * Allow longer referrers. + */ +function statistics_update_6000() { + $ret = array(); + db_change_field($ret, 'accesslog', 'url', 'url', array('type' => 'text', 'not null' => FALSE)); + return $ret; +} + +/** + * @} End of "defgroup updates-6.x-extra" + * The next series of updates should start at 7000. + */ diff -Nru drupal6-6.12/modules/syslog/syslog.info drupal6-6.14/modules/syslog/syslog.info --- drupal6-6.12/modules/syslog/syslog.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/syslog/syslog.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/system/system.admin.inc drupal6-6.14/modules/system/system.admin.inc --- drupal6-6.12/modules/system/system.admin.inc 2009-02-25 06:38:41.000000000 -0500 +++ drupal6-6.14/modules/system/system.admin.inc 2009-09-16 14:02:32.000000000 -0400 
@@ -1,5 +1,5 @@ name; - while ($theme_key) { - if (file_exists($themes[$theme_key]->info['screenshot'])) { + // Create a list which includes the current theme and all its base themes. + if (isset($themes[$theme->name]->base_themes)) { + $theme_keys = array_keys($themes[$theme->name]->base_themes); + $theme_keys[] = $theme->name; + } + else { + $theme_keys = array($theme->name); + } + // Look for a screenshot in the current theme or in its closest ancestor. + foreach (array_reverse($theme_keys) as $theme_key) { + if (isset($themes[$theme_key]) && file_exists($themes[$theme_key]->info['screenshot'])) { $screenshot = $themes[$theme_key]->info['screenshot']; break; } - $theme_key = isset($themes[$theme_key]->info['base theme']) ? $themes[$theme_key]->info['base theme'] : NULL; } $screenshot = $screenshot ? theme('image', $screenshot, t('Screenshot for %theme theme', array('%theme' => $theme->info['name'])), '', array('class' => 'screenshot'), FALSE) : t('no screenshot'); @@ -263,6 +269,7 @@ * Process system_themes_form form submissions. */ function system_themes_form_submit($form, &$form_state) { + drupal_clear_css_cache(); // Store list of previously enabled themes and disable all themes $old_theme_list = $new_theme_list = array(); @@ -618,10 +625,6 @@ * The form array. */ function system_modules($form_state = array()) { - drupal_rebuild_theme_registry(); - node_types_rebuild(); - menu_rebuild(); - cache_clear_all('schema', 'cache'); // Get current list of modules. $files = module_rebuild_cache(); @@ -933,6 +936,10 @@ drupal_set_message(t('The configuration options have been saved.')); } + drupal_rebuild_theme_registry(); + node_types_rebuild(); + menu_rebuild(); + cache_clear_all('schema', 'cache'); drupal_clear_css_cache(); drupal_clear_js_cache(); 
@@ -1357,7 +1364,7 @@ * * @ingroup forms */ -function system_clear_cache_submit(&$form_state, $form) { +function system_clear_cache_submit($form, &$form_state) { drupal_flush_all_caches(); drupal_set_message(t('Caches cleared.')); } @@ -1843,7 +1850,7 @@ /** * This function formats the content of an administrative block. * - * @param $block + * @param $content * An array containing information about the block. It should * include a 'title', a 'description' and a formatted 'content'. * @ingroup themeable @@ -1971,7 +1978,7 @@ * An array of requirements. * @ingroup themeable */ -function theme_status_report(&$requirements) { +function theme_status_report($requirements) { $i = 0; $output = ''; foreach ($requirements as $requirement) { diff -Nru drupal6-6.12/modules/system/system.info drupal6-6.14/modules/system/system.info --- drupal6-6.12/modules/system/system.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/system/system.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/system/system.install drupal6-6.14/modules/system/system.install --- drupal6-6.12/modules/system/system.install 2009-04-27 08:50:13.000000000 -0400 +++ drupal6-6.14/modules/system/system.install 2009-09-14 09:59:58.000000000 -0400 @@ -1,5 +1,5 @@ array( 'fit' => array('fit'), - 'tab_parent' => array('tab_parent') + 'tab_parent' => array('tab_parent'), + 'tab_root_weight_title' => array(array('tab_root', 64), 'weight', 'title'), ), 'primary key' => array('path'), ); 
@@ -1063,6 +1064,7 @@ array( 'modules' => array(array('type', 12), 'status', 'weight', 'filename'), 'bootstrap' => array(array('type', 12), 'status', 'bootstrap', 'weight', 'filename'), + 'type_name' => array(array('type', 12), 'name'), ), ); @@ -2037,7 +2039,7 @@ if ($module_blocks = module_invoke($module, 'block', 'list')) { foreach ($module_blocks as $delta => $block) { if (isset($block['cache'])) { - db_query("UPDATE {blocks} SET cache = %d WHERE module = '%s' AND delta = %d", $block['cache'], $module, $delta); + db_query("UPDATE {blocks} SET cache = %d WHERE module = '%s' AND delta = '%s'", $block['cache'], $module, $delta); } } } 
@@ -2565,6 +2567,57 @@ } /** + * Create a signature_format column. + */ +function system_update_6051() { + $ret = array(); + + if (!db_column_exists('users', 'signature_format')) { + + // Set future input formats to FILTER_FORMAT_DEFAULT to ensure a safe default + // when incompatible modules insert into the users table. An actual format + // will be assigned when users save their signature. + + $schema = array( + 'type' => 'int', + 'size' => 'small', + 'not null' => TRUE, + 'default' => FILTER_FORMAT_DEFAULT, + 'description' => 'The {filter_formats}.format of the signature.', + ); + + db_add_field($ret, 'users', 'signature_format', $schema); + + // Set the format of existing signatures to the current default input format. + if ($current_default_filter = variable_get('filter_default_format', 0)) { + $ret[] = update_sql("UPDATE {users} SET signature_format = ". $current_default_filter); + } + + drupal_set_message("User signatures no longer inherit comment input formats. Each user's signature now has its own associated format that can be selected on the user's account page. Existing signatures have been set to your site's default input format."); + } + + return $ret; +} + +/** + * Add a missing index on the {menu_router} table. + */ +function system_update_6052() { + $ret = array(); + db_add_index($ret, 'menu_router', 'tab_root_weight_title', array(array('tab_root', 64), 'weight', 'title')); + return $ret; +} + +/** + * Add a {system} index on type and name. + */ +function system_update_6053() { + $ret = array(); + db_add_index($ret, 'system', 'type_name', array(array('type', 12), 'name')); + return $ret; +} + +/** * @} End of "defgroup updates-6.x-extra" * The next series of updates should start at 7000. */ diff -Nru drupal6-6.12/modules/system/system.js drupal6-6.14/modules/system/system.js --- drupal6-6.12/modules/system/system.js 2008-02-07 13:23:30.000000000 -0500 +++ drupal6-6.14/modules/system/system.js 2009-07-21 04:59:12.000000000 -0400 
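Review bot: In `system_update_6051()` the value of `variable_get('filter_default_format', 0)` is concatenated straight into the `UPDATE {users}` statement passed to `update_sql()`. It is a stored site setting rather than request input, but it should still be forced to an integer before it becomes part of the query text: `$ret[] = update_sql("UPDATE {users} SET signature_format = ". (int) $current_default_filter);`. The cast also documents that the column is numeric, in line with the `'type' => 'int'` schema added a few lines above.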
@@ -1,4 +1,4 @@ -// $Id: system.js,v 1.14.2.1 2008/02/07 18:23:30 goba Exp $ +// $Id: system.js,v 1.14.2.2 2009/07/21 08:59:12 goba Exp $ /** * Internal function to check using Ajax if clean URLs can be enabled on the @@ -102,7 +102,7 @@ // Attach keyup handler to custom format inputs. $('input.custom-format:not(.date-time-processed)', context).addClass('date-time-processed').keyup(function() { var input = $(this); - var url = Drupal.settings.dateTime.lookup +(Drupal.settings.dateTime.lookup.match(/\?q=/) ? "&format=" : "?format=") + Drupal.encodeURIComponent(input.val()); + var url = Drupal.settings.dateTime.lookup +(Drupal.settings.dateTime.lookup.match(/\?q=/) ? "&format=" : "?format=") + encodeURIComponent(input.val()); $.getJSON(url, function(data) { $("div.description span", input.parent()).html(data); }); diff -Nru drupal6-6.12/modules/system/system.module drupal6-6.14/modules/system/system.module --- drupal6-6.12/modules/system/system.module 2009-05-13 15:11:04.000000000 -0400 +++ drupal6-6.14/modules/system/system.module 2009-09-16 15:34:14.000000000 -0400 @@ -1,5 +1,5 @@ '. t('It is important that update.php is run every time a module is updated to a newer version.', array('@update-php' => $base_url .'/update.php')) .'

'; $output .= '

'. t('You can find all administration tasks belonging to a particular module on the administration by module page.', array('@by-module' => url('admin/by-module'))) .'

'; $output .= '

'. t('To extend the functionality of your site, a number of contributed modules are available.', array('@modules' => 'http://drupal.org/project/modules')) .'

'; + $output .= '

'. t('To clear all caches, click the button on the Performance page.', array('@performance' => url('admin/settings/performance', array('fragment' => 'edit-clear')))) .'

'; return $output; case 'admin/build/modules/uninstall': return '

'. t('The uninstall process removes all data related to a module. To uninstall a module, you must first disable it. Not all modules support this feature.') .'

'; @@ -893,10 +894,15 @@ // Now that we've established all our master themes, go back and fill in // data for subthemes. foreach ($sub_themes as $key) { - $base_key = system_find_base_theme($themes, $key); - if (!$base_key) { + $themes[$key]->base_themes = system_find_base_themes($themes, $key); + // Don't proceed if there was a problem with the root base theme. + if (!current($themes[$key]->base_themes)) { continue; } + $base_key = key($themes[$key]->base_themes); + foreach (array_keys($themes[$key]->base_themes) as $base_theme) { + $themes[$base_theme]->sub_themes[$key] = $themes[$key]->info['name']; + } // Copy the 'owner' and 'engine' over if the top level theme uses a // theme engine. if (isset($themes[$base_key]->owner)) { 
@@ -918,6 +924,49 @@ } /** + * Find all the base themes for the specified theme. + * + * Themes can inherit templates and function implementations from earlier themes. + * + * @param $themes + * An array of available themes. + * @param $key + * The name of the theme whose base we are looking for. + * @param $used_keys + * A recursion parameter preventing endless loops. + * @return + * Returns an array of all of the theme's ancestors; the first element's value + * will be NULL if an error occurred. + */ +function system_find_base_themes($themes, $key, $used_keys = array()) { + $base_key = $themes[$key]->info['base theme']; + // Does the base theme exist? + if (!isset($themes[$base_key])) { + return array($base_key => NULL); + } + + $current_base_theme = array($base_key => $themes[$base_key]->info['name']); + + // Is the base theme itself a child of another theme? + if (isset($themes[$base_key]->info['base theme'])) { + // Do we already know the base themes of this theme? + if (isset($themes[$base_key]->base_themes)) { + return $themes[$base_key]->base_themes + $current_base_theme; + } + // Prevent loops. + if (!empty($used_keys[$base_key])) { + return array($base_key => NULL); + } + $used_keys[$base_key] = TRUE; + return system_find_base_themes($themes, $base_key, $used_keys) + $current_base_theme; + } + // If we get here, then this is our parent theme. + return $current_base_theme; +} + +/** + * This function has been deprecated in favor of system_find_base_themes(). + * * Recursive function to find the top level base theme. Themes can inherit * templates and function implementations from earlier themes. * 
@@ -1844,7 +1893,7 @@ */ function _system_zonelist() { $timestamp = time(); - $zonelist = array(-11, -10, -9.5, -9, -8, -7, -6, -5, -4, -3.5, -3, -2, -1, 0, 1, 2, 3, 3.5, 4, 5, 5.5, 5.75, 6, 6.5, 7, 8, 9, 9.5, 10, 10.5, 11, 11.5, 12, 12.75, 13, 14); + $zonelist = array(-11, -10, -9.5, -9, -8, -7, -6, -5, -4.5, -4, -3.5, -3, -2.5, -2, -1, 0, 1, 2, 3, 3.5, 4, 5, 5.5, 5.75, 6, 6.5, 7, 8, 9, 9.5, 10, 10.5, 11, 11.5, 12, 12.75, 13, 14); $zones = array(); foreach ($zonelist as $offset) { $zone = $offset * 3600; diff -Nru drupal6-6.12/modules/taxonomy/taxonomy.info drupal6-6.14/modules/taxonomy/taxonomy.info --- drupal6-6.12/modules/taxonomy/taxonomy.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/taxonomy/taxonomy.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ version = VERSION core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/taxonomy/taxonomy.module drupal6-6.14/modules/taxonomy/taxonomy.module --- drupal6-6.12/modules/taxonomy/taxonomy.module 2009-05-13 15:38:33.000000000 -0400 +++ drupal6-6.14/modules/taxonomy/taxonomy.module 2009-09-15 07:13:08.000000000 -0400 @@ -1,5 +1,5 @@ 'cron', - 'op' => '', + 'op' => 'run', ); // Cron does not act on any specific object. $object = NULL; diff -Nru drupal6-6.12/modules/update/update.compare.inc drupal6-6.14/modules/update/update.compare.inc --- drupal6-6.12/modules/update/update.compare.inc 2009-04-29 14:43:11.000000000 -0400 +++ drupal6-6.14/modules/update/update.compare.inc 2009-06-09 07:08:32.000000000 -0400 
@@ -1,5 +1,5 @@ t('This project is no longer supported, and is no longer available for download. Disabling everything included by this project is strongly recommended!'), ); break; + case 'not-fetched': + $projects[$project]['status'] = UPDATE_NOT_FETCHED; + $projects[$project]['reason'] = t('Failed to fetch available update data'); + break; + default: // Assume anything else (e.g. 'published') is valid and we should // perform the rest of the logic in this function. diff -Nru drupal6-6.12/modules/update/update.fetch.inc drupal6-6.14/modules/update/update.fetch.inc --- drupal6-6.12/modules/update/update.fetch.inc 2009-04-29 14:43:11.000000000 -0400 +++ drupal6-6.14/modules/update/update.fetch.inc 2009-07-21 04:59:12.000000000 -0400 @@ -1,5 +1,5 @@ $project) { $url = _update_build_fetch_url($project, $site_key); - $xml = drupal_http_request($url); - if (isset($xml->data)) { - $data[] = $xml->data; + $fetch_url_base = _update_get_fetch_url_base($project); + if (empty($fail[$fetch_url_base]) || count($fail[$fetch_url_base]) < $max_fetch_attempts) { + $xml = drupal_http_request($url); + if (isset($xml->data)) { + $data[] = $xml->data; + } + else { + // Connection likely broken; prepare to give up. + $fail[$fetch_url_base][$key] = 1; + } + } + else { + // Didn't bother trying to fetch. + $fail[$fetch_url_base][$key] = 1; } } 
@@ -58,14 +71,21 @@ $available = $parser->parse($data); } if (!empty($available) && is_array($available)) { + // Record the projects where we failed to fetch data. + foreach ($fail as $fetch_url_base => $failures) { + foreach ($failures as $key => $value) { + $available[$key]['project_status'] = 'not-fetched'; + } + } $frequency = variable_get('update_check_frequency', 1); _update_cache_set('update_available_releases', $available, time() + (60 * 60 * 24 * $frequency)); - variable_set('update_last_check', time()); - watchdog('update', 'Fetched information about all available new releases and updates.', array(), WATCHDOG_NOTICE, l(t('view'), 'admin/reports/updates')); + watchdog('update', 'Attempted to fetch information about all available new releases and updates.', array(), WATCHDOG_NOTICE, l(t('view'), 'admin/reports/updates')); } else { watchdog('update', 'Unable to fetch any information about available new releases and updates.', array(), WATCHDOG_ERROR, l(t('view'), 'admin/reports/updates')); } + // Whether this worked or not, we did just (try to) check for updates. + variable_set('update_last_check', time()); return $available; } 
@@ -85,26 +105,41 @@ * @see update_get_projects() */ function _update_build_fetch_url($project, $site_key = '') { - $default_url = variable_get('update_fetch_url', UPDATE_DEFAULT_URL); - if (!isset($project['info']['project status url'])) { - $project['info']['project status url'] = $default_url; - } $name = $project['name']; - $url = $project['info']['project status url']; + $url = _update_get_fetch_url_base($project); $url .= '/'. $name .'/'. DRUPAL_CORE_COMPATIBILITY; - if (!empty($site_key)) { + // Only append a site_key and the version information if we have a site_key + // in the first place, and if this is not a disabled module or theme. We do + // not want to record usage statistics for disabled code. + if (!empty($site_key) && (strpos($project['project_type'], 'disabled') === FALSE)) { $url .= (strpos($url, '?') === TRUE) ? '&' : '?'; $url .= 'site_key='; - $url .= drupal_urlencode($site_key); + $url .= rawurlencode($site_key); if (!empty($project['info']['version'])) { $url .= '&version='; - $url .= drupal_urlencode($project['info']['version']); + $url .= rawurlencode($project['info']['version']); } } return $url; } /** + * Return the base of the URL to fetch available update data for a project. + * + * @param $project + * The array of project information from update_get_projects(). + * @return + * The base of the URL used for fetching available update data. This does + * not include the path elements to specify a particular project, version, + * site_key, etc. + * + * @see _update_build_fetch_url() + */ +function _update_get_fetch_url_base($project) { + return isset($project['info']['project status url']) ? $project['info']['project status url'] : variable_get('update_fetch_url', UPDATE_DEFAULT_URL); +} + +/** * Perform any notifications that should be done once cron fetches new data. 
* * This method checks the status of the site using the new data and depending diff -Nru drupal6-6.12/modules/update/update.info drupal6-6.14/modules/update/update.info --- drupal6-6.12/modules/update/update.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/modules/update/update.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ package = Core - optional core = 6.x -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027" diff -Nru drupal6-6.12/modules/update/update.module drupal6-6.14/modules/update/update.module --- drupal6-6.12/modules/update/update.module 2009-05-13 14:27:58.000000000 -0400 +++ drupal6-6.14/modules/update/update.module 2009-06-09 07:08:32.000000000 -0400 @@ -1,5 +1,5 @@ '', 'description' => "User's signature.", ), + 'signature_format' => array( + 'type' => 'int', + 'size' => 'small', + 'not null' => TRUE, + 'default' => 0, + 'description' => 'The {filter_formats}.format of the signature.', + ), 'created' => array( 'type' => 'int', 'not null' => TRUE, diff -Nru drupal6-6.12/modules/user/user.module drupal6-6.14/modules/user/user.module --- drupal6-6.12/modules/user/user.module 2009-04-27 08:02:27.000000000 -0400 +++ drupal6-6.14/modules/user/user.module 2009-09-16 13:54:19.000000000 -0400 @@ -1,5 +1,5 @@ 5, '#title' => t('History'), ); - $account->content['summary']['member_for'] = array( + $account->content['summary']['member_for'] = array( '#type' => 'user_profile_item', '#title' => t('Member for'), '#value' => format_interval(time() - $account->created), 
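Review bot: The separator test kept in `_update_build_fetch_url()` (hunk `@@ -85,26 +105,41 @@`), `(strpos($url, '?') === TRUE) ? '&' : '?'`, can never be true, because `strpos()` returns an integer offset or FALSE. A base URL that already carries a query string would therefore get a second `?` before `site_key=`; the check should read `$url .= (strpos($url, '?') !== FALSE) ? '&' : '?';`. Separately, the new `_update_get_fetch_url_base()` prefers `$project['info']['project status url']` over the site default, so the `site_key` and version are sent to whatever host a project's info data names. A short comment there stating that this URL is taken from project metadata and receives the site key would help anyone auditing what leaves the site.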
@@ -1519,6 +1519,15 @@ '#default_value' => $edit['signature'], '#description' => t('Your signature will be publicly displayed at the end of your comments.'), ); + + // Prevent a "validation error" message when the user attempts to save with a default value they + // do not have access to. + if (!filter_access($edit['signature_format']) && empty($_POST)) { + drupal_set_message(t("The signature input format has been set to a format you don't have access to. It will be changed to a format you have access to when you save this page.")); + $edit['signature_format'] = FILTER_FORMAT_DEFAULT; + } + + $form['signature_settings']['signature_format'] = filter_form($edit['signature_format'], NULL, array('signature_format')); } // Picture/avatar: @@ -1596,7 +1605,7 @@ db_query('DELETE FROM {authmap} WHERE uid = %d', $uid); $variables = array('%name' => $account->name, '%email' => '<'. $account->mail .'>'); watchdog('user', 'Deleted user: %name %email.', $variables, WATCHDOG_NOTICE); - module_invoke_all('user', 'delete', $edit, $account); + user_module_invoke('delete', $edit, $account); } /** @@ -1920,8 +1929,12 @@ function _user_categories($account) { $categories = array(); + // Only variables can be passed by reference workaround. + $null = NULL; foreach (module_list() as $module) { - if ($data = module_invoke($module, 'user', 'categories', NULL, $account, '')) { + $function = $module .'_user'; + // $null and $account need to be passed by reference. + if (function_exists($function) && ($data = $function('categories', $null, $account, ''))) { $categories = array_merge($data, $categories); } } @@ -2031,7 +2044,7 @@ // Validate signature. if ($op == 'view') { if (variable_get('user_signatures', 0) && !empty($comment->signature)) { - $comment->signature = check_markup($comment->signature, $comment->format); + $comment->signature = check_markup($comment->signature, $comment->signature_format, FALSE); } else { $comment->signature = ''; 
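Review bot: The `FALSE` added as the third argument in `check_markup($comment->signature, $comment->signature_format, FALSE)` (hunk `@@ -2031,7 +2044,7 @@`) needs a why-comment, because it appears to switch off the `filter_access()` check at render time. Rendering then trusts the stored `signature_format`, which is only safe if the format was validated against the signature's owner when it was saved; that save-time validation is not visible in these hunks. Something like `// The format was checked against the author's access when the signature was saved; skip the check for the viewing user.` would document the assumption. The enclosing function starts and ends outside the hunk.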
@@ -2392,7 +2405,11 @@ // Display the registration form. if (!$admin) { - $form['user_registration_help'] = array('#value' => filter_xss_admin(variable_get('user_registration_help', ''))); + $form['user_registration_help'] = array( + '#value' => filter_xss_admin(variable_get('user_registration_help', '')), + // Ensure that user registration help appears above profile fields. + '#weight' => -20, + ); } // Merge in the default user edit fields. @@ -2459,7 +2476,9 @@ function _user_forms(&$edit, $account, $category, $hook = 'form') { $groups = array(); foreach (module_list() as $module) { - if ($data = module_invoke($module, 'user', $hook, $edit, $account, $category)) { + $function = $module .'_user'; + // $edit and $account need to be passed by reference. + if (function_exists($function) && ($data = $function($hook, $edit, $account, $category))) { $groups = array_merge_recursive($data, $groups); } } diff -Nru drupal6-6.12/modules/user/user.pages.inc drupal6-6.14/modules/user/user.pages.inc --- drupal6-6.12/modules/user/user.pages.inc 2008-10-08 16:12:18.000000000 -0400 +++ drupal6-6.14/modules/user/user.pages.inc 2009-09-16 13:54:20.000000000 -0400 @@ -1,5 +1,5 @@ type == 'forum') { - return '
'. $content .'
'; - } - else { - return '

'. t('Comments') .'

'. $content .'
'; - } -} - -/** * Override or insert PHPTemplate variables into the templates. */ function phptemplate_preprocess_page(&$vars) { @@ -62,6 +50,15 @@ } /** + * Add a "Comments" heading above comments except on forum pages. + */ +function garland_preprocess_comment_wrapper(&$vars) { + if ($vars['content'] && $vars['node']->type != 'forum') { + $vars['content'] = '

'. t('Comments') .'

'. $vars['content']; + } +} + +/** * Returns the rendered local tasks. The default implementation renders * them as tabs. Overridden to split the secondary tasks. * diff -Nru drupal6-6.12/themes/pushbutton/pushbutton.info drupal6-6.14/themes/pushbutton/pushbutton.info --- drupal6-6.12/themes/pushbutton/pushbutton.info 2009-05-13 15:45:50.000000000 -0400 +++ drupal6-6.14/themes/pushbutton/pushbutton.info 2009-09-16 15:40:27.000000000 -0400 @@ -5,8 +5,8 @@ core = 6.x engine = phptemplate -; Information added by drupal.org packaging script on 2009-05-13 -version = "6.12" +; Information added by drupal.org packaging script on 2009-09-16 +version = "6.14" project = "drupal" -datestamp = "1242243950" +datestamp = "1253130027"